An annoying vulnerability in the widely used GRUB2 bootloader can be potentially exploited by malware or a rogue insider already on a machine to thoroughly compromise the operating system or hypervisor while evading detection by users and security tools. […] Designated CVE-2020-10713, the vulnerability allows a miscreant to achieve code execution within the open-source bootloader, Read more about GRUB2, you’re getting too bug for your boots: Config file buffer overflow is a boon for malware seeking to drill deeper into a system[…]

Garmin is reportedly being asked to pay a $10 million ransom to free its systems from a cyberattack that has taken down many of its services for two days. The navigation company was hit by a ransomware attack on Thursday, leaving customers unable to log fitness sessions in Garmin apps and pilots unable to download Read more about Will Garmin Pay $10 Million Ransom To End Two-Day Outage?[…]

Twitter said on Saturday that the perpetrators “manipulated a small number of employees and used their credentials” to log into tools and turn over access to 45 accounts. here On Wednesday, it said that the hackers could have read direct messages to and from 36 accounts but did not identify the affected users. The former Read more about More than 1,000 people at Twitter had ability to aid hack of accounts[…]

More than 1,000 unsecured databases so far have been permanently deleted in an ongoing attack that leaves the word “meow” as its only calling card, according to Internet searches over the past day. The attack first came to the attention of researcher Bob Diachenko on Tuesday, when he discovered a database that stored user details Read more about Ongoing Meow attack has nuked >4,000 MongoDB and Elastic databases with default settings left on[…]

Garmin’s Connect service has been down for more than seven hours today to the frustration of fitness enthusiasts keen to upload running times or synchronise with other services such as Strava. So, too, is the company’s web shop and support forums. Users have expressed obvious concern that such an extended outage is indicative of a Read more about Fitness freaks flummoxed as massive global Garmin outage leaves them high and dry for hours[…]

The personal information of what could be hundreds of thousands of Instacart customers is being sold on the dark web. This data includes names, the last four digits of credit card numbers, and order histories, and appears to have affected customers who used the grocery delivery service as recently as yesterday. As of Wednesday, sellers Read more about Instacart Customers’ Data Is Being Sold Online, but Instacart has it’s fingers in it’s ears, pretends nothing is wrong[…]

A string of “zero logging” VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet. This data, we are told, included in at least some cases clear-text passwords, personal information, and lists of websites visited, all for anyone to Read more about Seven ‘no log’ VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet[…]

Zoom says it has fixed a security issue that would have let hackers manipulate organizations’ custom URLs for the service and send legitimate-seeming meeting invitations. If a victim accepted the invitation and attended the meeting, the phony caller may have been able to inject malware into their device or carry out a phishing attack. Hackers Read more about Zoom fixed a vanity URL issue that could have led to phishing attacks[…]

Dubbed RECON, aka Remotely Exploitable Code On NetWeaver, by its discoverers, security shop Onapsis, the bug in SAP’s NetWeaver AS JAVA (LM Configuration Wizard) allows a remote unathenticated hacker to take over a vulnerable NetWeaver-based system by creating admin accounts without any authorization. The bug, CVE-2020-6287, is a lack of proper authentication in NetWeaver. This Read more about So kind of SAP NetWeaver to hand out admin accounts to anyone who can reach it. You’ll want to patch this[…]

In one of the largest law enforcement busts ever, European police and crime agencies hacked an encrypted communications platform used by thousands of criminals and drug traffickers. By infiltrating the platform, Encrochat, police across Europe gained access to a hundred million encrypted messages. In the UK, those messages helped officials arrest 746 suspects, seize £54 Read more about European police hacked encrypted phones used by thousands of criminals[…]

Folks running Bitdefender’s Total Security 2020 package should check they have the latest version installed following the disclosure of a remote code execution bug. Wladimir Palant, cofounder of Adblock-Plus-maker Eyeo, tipped off Bitdefender about the flaw, CVE-2020-8102, after discovering what he called “seemingly small weaknesses” that could be exploited by a hostile website to take Read more about Three words you do not want to hear regarding a ‘secure browser’ called SafePay… Remote. Code. Execution[…]

Netgear has issued patches to squash security vulnerabilities in two router models that can be exploited to, for instance, open a superuser-level telnet backdoor. Those two devices are the R6400v2 and R6700v3, and you can get hot-fixes for the holes here. However, some 77 models remain reportedly vulnerable, and no fixes are available. For the Read more about Netgear was told in January its routers can be hacked and hijacked. This week, first patches released – after exploits, details made public[…]

A newly discovered spyware effort attacked users through 32 million downloads of extensions to Google’s market-leading Chrome web browser, researchers at Awake Security told Reuters, highlighting the tech industry’s failure to protect browsers as they are used more for email, payroll and other sensitive functions. Alphabet Inc’s (GOOGL.O) Google said it removed more than 70 Read more about Massive spying on users of Google’s Chrome shows new security weakness[…]

Zoom today said it will make end-to-end (E2E) encryption available to all of its users, regardless of whether they pay for it or not. The videoconferencing overnight-sensation has walked back its initial plan to limit E2E cryptography to schools and paid-for accounts, after facing a storm of criticism for the restriction. It will, from next Read more about Zoom will offer proper end-to-end encryption to free vid-chat accounts – not just paid-up bods – once you verify your phone number…[…]

Hundreds of thousands of sensitive dating app profiles – including images of “a graphic, sexual nature” – were exposed online for anyone stumbling across them to download. Word of the uncontrolled emission burst forth from vpnMentor this week, which claims it found a misconfigured AWS S3 bucket containing 845GB of private dating app records. Data Read more about 845GB of racy dating app records exposed to entire internet via leaky AWS buckets[…]

UK-based infosec outfit Keepnet Labs left an 867GB database of previously compromised website login details accessible to world+dog earlier this year – then sent lawyers’ letters to bloggers in a bid to erase their reports of its blunder. A contractor left the Keepnet Elasticsearch database unsecured back in March after disabling a firewall, exposing around Read more about Keepnet fires legal threats at bloggers for exposing their 876GB unsecured database with years of leaked credentials, backfires[…]

Japanese car maker Honda has been hit by ransomware that disrupted its production of vehicles and also affected internal communications, according to reports. The ransomware, of an as-yet unidentified strain, appeared to have spread through the multinational firm’s network. A Honda spokesman told the media it appeared to have “hit the company’s internal servers.” Some Read more about Hospital-busting hacker crew may be behind ransomware attack that made Honda halt car factories, say researchers[…]

WhatsApp claims it fixed an issue that was showing users’ phone numbers in Google search results, TechCrunch reports. The change comes after security researcher Athul Jayaram revealed that phone numbers of WhatsApp users who used the Click to Chat feature were being indexed in search. Click to Chat allows users to create a link with Read more about WhatsApp was exposing users’ phone numbers in Google search[…]

IBM’s cloud has gone down hard across the world. We’d love to tell you just how hard the service has hit the dirt, but even the Big Blue status page is intermittently unavailable: IBM Cloud status page … Click to enlarge Your humble hack has an IBM Cloud account, and when attempting to login in Read more about From off-prem to just off: IBM Cloud goes down planet-wide so hard even the status page didn’t work – and outside of US business hours[…]

Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO’s investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, what multiple Read more about Bug bounty platforms buy researcher silence, violate labor laws, critics say[…]

A report from consumer advocates Which? highlights the shockingly short lifespan of “smart” appliances, with some losing software support after just a few years, despite costing vastly more than “dumb” alternatives. That lifespan varies between manufacturers: Most vendors were vague, with Beko offering “up to 10 years” and LG saying patches would be issued as Read more about Smart fridges are cool, but after a few short years you could be stuck with a big frosty brick in the kitchen[…]

A hapless IT bod found the Have I Been Pwned service (HIBP) answering its own question in a way he really didn’t want – after a breach report including a SQL string KO’d his company’s helpdesk ticket system. A pseudonymous blogger posting under the name Matt published a tortured account of what happened when a Read more about Have I Been Pwned breach report email pwned entire firm’s helldesk ticket system[…]

Adobe technicians scrambled on Wednesday to restore multiple cloud services after a severe outage left customers stranded. Starting around 0600 PDT (1300 UTC) Adobe’s status board began lighting up with red outage notifications. At the time this article was written, 13 major issues were ongoing and five had been resolved. By issues, Adobe means people Read more about Photostopped: Adobe Cloud evaporates in mass outage. Hope none of you are on a deadline, eh? – yay cloud![…]